Company

• Zscaler - SaaS solution for web browser/email security
• VP, Security Research

Background

• Founding Member - Cloud Security Alliance
• SPI Dynamics - acquired by HP
• iDefense - acquired by VeriSign

Research

• Web security
• Client-side vulnerabilities
What does it mean to be in a hyperconnected world?

What has an IP address in your home?

What has an IP address in your office?
EWS Definition

What is an Embedded Web Server? There's no universally accepted definition, but for our purposes, we'll require the following:

1. Web server installed on the hardware during the manufacturing process (not an optional component)

2. Not designed for high performance

3. Limited functionality

4. Serves as an administrative interface to the host hardware
Threats

► DoS - Disable functionality
► Privacy - Access confidential data
► Data Integrity - Alter confidential data
► Confidentiality - Firmware upgrade with new functionality
► Financial - Unauthorized use of bandwidth and services

► Improperly configured networks can make internal appliances Internet accessible
► Vendors target ease of use, and EWSs therefore have functionality enabled out of the box with a default password or are wide open

► Devices with an EWS are generally not considered during security audits and are therefore not monitored/segregated
► Insiders have the advantage of physical access to the devices

Java Vulnerabilities?
Internet-connected coffee maker has security holes

SecurityFocus (Symantec Connect): Jura Internet Connectivity Kit Unauthorized Access Input-Validation Vulnerability

"Jura Internet Connectivity Kit is prone to an input-validation vulnerability that can result in unauthorized access to a computer connected to an IMPRESSA F90 or F9 coffee maker.

Successful exploits allow attackers to access an affected computer with the privileges of the user running the application.

Attackers can also modify coffee maker settings in a manner sufficient to disable devices to the point that repair is required."
Energy Savings

Internet-Connected Appliances Could Lower Energy Bills

A pilot test in Washington and Oregon lets dryers and water heaters check electricity prices and decide if it's worth waiting until off-peak times.

InformationWeek

"Some 200 people in Washington and Oregon are taking part in an experiment that uses real-time pricing data to let people make smarter choices about energy use. It's a tiny project with the potential to significantly change electricity markets at a time when energy is back on top of public policy concerns.

Dryers and Water Heaters

The GridWise Initiative, led by the Pacific Northwest National Laboratory, is testing dryers, thermostats, and water heaters that are wirelessly connected to a server, which uses a broadband connection to fetch prices. Homeowners also can set monthly energy budgets and monitor in real time whether they're sticking to them. In another experiment, 150 dryers are equipped with a chip that will respond to instability on the power grid and shut off consumption, or shift it to off-peak times. That could let utilities put off building new power plants, says Don Hammerstrom, Pacific Northwest National Lab's project manager."
Google Announces Plans For Next Android Version - Ice Cream Sandwich

All Things Digital, by Ina Fried
Posted on May 10, 2011 at 9:25 AM PT

"Google kicked off its I/O conference with a bang on Tuesday, announcing the imminent release of an update to Honeycomb for tablets and televisions as well as plans for the next major release of Android: Ice Cream Sandwich.

Down the road, it also looks to expand Android further into the home with plans for a home hub, unified accessories as well as a protocol for Android devices to talk with all manner of home appliances and utilities."
Process

• Fingerprint at least 100K web servers and identify as many EWSs as possible to better understand the threat that they may pose

Challenges

• Millions of IP addresses need to be scanned
• Scanning must therefore be very lightweight and scalable
• Existing fingerprinting tools (e.g. Nmap) do not have a strong database of EWS data

Approaches considered

• Traditional scanning/fingerprinting tools
• GHDB (Google Hacking Database)
• Header scans
GHDB

[Screenshot: Canon "Remote UI" top page of an iR (imageRUNNER) device (Device, Job Status, Mail Box, Direct Print, Mail to Administrator; Language: English; System Manager / Support; "Copyright CANON INC 2006 All Rights Reserved"). A second screenshot shows the same Remote UI with a Japanese language setting.]
GHDB

[Screenshot: Google search results]

Query: intitle:"Remote UI" "Copyright CANON INC" "Printer Status"

About 127 results (0.20 seconds)

Remote UI <Top page> : iR C3480 : iR C4080
16 Apr 2011 ... Printer Status : Printer Status Sleep mode. ... Copyright : Remote UI Copyright CANON INC ... All Rights Reserved ...
68.181.153.20/ - Cached

Remote UI <Top page> : iR C3480 : iR C3480
14 Apr 2011 ... Printer Status : Printer Status Ready to print. ... Copyright : Remote UI Copyright CANON INC. 2005. All Rights Reserved ...
(host garbled) - Cached

Challenges

• Google clearly suppresses/blocks GHDB queries (Bing can actually be better)
• UI internationalization/rebranding requires many queries for broad coverage
• Automation requires screen scraping

[Screenshot: Google "We're sorry..." automated-query block page, © 2009 Google]



Header Scanning

HTTP/1.0 200 OK
Date: SUN, 23 APR 2011 21:31:45 GMT
Server: CANON HTTP Server Ver2.21
Set-Cookie: iR=3753281; path=/
Content-Type : text/html
Transfer-Encoding: chunked

Approach

• Simple multi-threaded Perl script to send HEAD requests
• Amazon EC2 micro instances leveraged - highly scalable, low cost

Advantages

• Ease of automation
• Content-based signatures not required
• Highly scalable - small request/response
• EWS header information unlikely to be spoofed

Limitations

• Not all EWSs have a unique Server string or header info.

Result

• Goal of fingerprinting ~100K web servers achieved
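The header-scanning step above, as an added example in Python (it is not the multi-threaded Perl script the talk used). It parses captured HEAD responses, matches the Server header against a signature table built only from the Server strings that appear in this deck, and records whether the device challenged for credentials, which is the same open-versus-protected split the Cisco "200 OK" Shodan query later in the deck relies on. The family labels are mine, and the response texts in SAMPLES are constructed for the example; in particular the Cisco 401 challenge and its realm string are assumed, not captured.

```python
"""Fingerprint embedded web servers from captured HEAD responses."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Family label -> regex over the Server header value. Matched case-insensitively:
# some devices send "SERVER:" and mixed-case values.
SIGNATURES: List[Tuple[str, str]] = [
    ("Canon Remote UI",              r"^CANON HTTP Server"),
    ("HP printer (Mrvl)",            r"^Mrvl-R"),
    ("HP printer (ProjectRevision)", r"^\$ProjectRevision:"),
    ("HP printer (Chai)",            r"^HP-Chai(?:Server|SOE)/"),
    ("Virata-EmWeb",                 r"^Virata-EmWeb/"),
    ("Ricoh Web-Server/3.0",         r"^Web-Server/3\.0"),
    ("Cisco IOS HTTP server",        r"^cisco-IOS/"),
    ("Polycom SoundPoint IP",        r"^Polycom SoundPoint IP Telephone HTTPd"),
    ("snom phone",                   r"snom embedded"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in SIGNATURES]


@dataclass
class Fingerprint:
    host: str
    status: Optional[int]   # HTTP status code; None if the status line is unparseable
    server: Optional[str]   # raw Server header value, None if absent
    family: Optional[str]   # matched EWS family, None if unknown
    auth_required: bool     # True when the device challenged for credentials


def parse_response(host: str, raw: str) -> Fingerprint:
    """Parse the status line and header block of a HEAD response."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line terminates the header block
        if ":" not in line:
            continue                   # tolerate junk lines from odd servers
        name, value = line.split(":", 1)
        # Some devices emit "Content-Type : text/html"; strip() absorbs that.
        headers.setdefault(name.strip().lower(), value.strip())
    server = headers.get("server")
    family = next((n for n, rx in _COMPILED if server and rx.search(server)), None)
    # A 401, or any WWW-Authenticate challenge, means the admin UI is password
    # protected; a 200 on the root URL is the "open" case.
    auth_required = status == 401 or "www-authenticate" in headers
    return Fingerprint(host, status, server, family, auth_required)


def summarize(results: List[Fingerprint]) -> Dict[str, Dict[str, int]]:
    """Per-family counts of open (200, no challenge), protected and other responses."""
    out: Dict[str, Dict[str, int]] = {}
    for fp in results:
        bucket = out.setdefault(fp.family or "unknown",
                                {"open": 0, "protected": 0, "other": 0})
        if fp.auth_required:
            bucket["protected"] += 1
        elif fp.status == 200:
            bucket["open"] += 1
        else:
            bucket["other"] += 1
    return out


# Constructed sample responses; the header shapes follow those quoted on the slides.
SAMPLES: Dict[str, str] = {
    "canon": ("HTTP/1.0 200 OK\r\nDate: SUN, 23 APR 2011 21:31:45 GMT\r\n"
              "Server: CANON HTTP Server Ver2.21\r\nSet-Cookie: iR=3753281; path=/\r\n"
              "Content-Type : text/html\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "ricoh": ("HTTP/1.0 200 OK\r\nServer: Web-Server/3.0\r\nContent-Type: text/html\r\n"
              "Content-Length: 304\r\nPragma: no-cache\r\nConnection: close\r\n\r\n"),
    "cisco_open": ("HTTP/1.0 200 OK\r\nDate: Sat, 31 Jul 1993 21:26:32 UTC\r\n"
                   "Server: cisco-IOS/12.1 HTTP-server/1.0 (1)\r\nMime-version: 1.0\r\n"
                   "Pragma: no-cache\r\ncontent-type: text/html\r\n\r\n"),
    # Assumed challenge response; the realm string is not on the slides.
    "cisco_auth": ("HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS/12.2 HTTP-server/1.0\r\n"
                   'WWW-Authenticate: Basic realm="level_15_access"\r\n\r\n'),
    "hp": "HTTP/1.1 200 OK\r\nSERVER: HP-ChaiSOE/1.0\r\nContent-Type: text/html\r\n\r\n",
    "not_ews": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\n\r\n",
}


def scan_samples() -> Dict[str, Dict[str, int]]:
    """Run the parser over SAMPLES and return the per-family summary."""
    return summarize([parse_response(h, r) for h, r in SAMPLES.items()])


if __name__ == "__main__":
    for h, r in SAMPLES.items():
        fp = parse_response(h, r)
        print(f"{h:11} {fp.status} {fp.family or '?':28} auth={fp.auth_required} [{fp.server}]")
    print(scan_samples())
```

Feeding real responses in is a matter of replacing SAMPLES with the output of a HEAD request per host; the classifier deliberately uses only the status line and headers, so the same code works on Shodan exports. Note the limitation the slide states: a family with no distinctive Server string (or none at all) lands in "unknown", and a 200 on the root URL only says the front page is open, not that every admin function behind it is.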



Shodan

Comprehensive, searchable database of web server headers and telnet banners

Provides country of origin, IP and rDNS data

Commercial service - users must register to receive >10 results and pay for >50

[Screenshot: shodanhq.com results for "CANON HTTP Server Ver2.21" (Results 1 - 10 of ...). Representative entry, added on 24.04.2011; a second, similar entry follows:]

HTTP/1.0 200 OK
Date: SUN, 24 APR 2011 05:14:57 GMT
Server: CANON HTTP Server Ver2.21
Set-Cookie: iR=...; path=/
Content-Type: text/html
Transfer-Encoding: chunked
Printers/Scanners

"Mistakes are the portals of discovery."

- James Joyce (1882-1941)
HP Printers/Scanners

Server headers seen across the LaserJet, OfficeJet and Photosmart families, with ShodanHQ hit counts:

Server header                               ShodanHQ
Server: Mrvl-R1_0                                 22
Server: $ProjectRevision: 5.0.1.23 $             673
Server: $ProjectRevision: 4.2 $                1,498
Server: $ProjectRevision: 4.0.2.38 $           4,514
Server: $ProjectRevision: 4.7.1.12 $             946
Server: HP-ChaiServer/3.0                     18,011
SERVER: HP-ChaiSOE/1.0                        39,071
Server: Virata-EmWeb/R6_2_1                   59,269
Total                                        124,004

Numerous embedded web servers across hundreds of products


[Chart: Admin Password Set for Identified Scanners?]




HP Printers/Scanners

Functionality

• Manage devices - security, logging, networking, etc.
• Monitor devices - ink levels, alerts, etc.

Observations

• LaserJet printers rarely have password protection enabled
• Hundreds of thousands of HP devices are web accessible

Attacks

• Reconfigure device - networking, UI, etc.
• DoS - lock device access, cancel jobs, etc.
• WebScan - remotely access scans and trigger new jobs
• Fax Forwarding - forward all incoming faxes to an external fax number
HP Webscan

[Screenshots: the Webscan page of an HP Photosmart C309a series device, and documents retrieved from exposed scanners.]

What we found...

• Documents
• Signed checks
• Technical reports
• Forms
• A certificate: "Jim is a Certified Mold Inspector!"

Prevalence

HP Webscan

• HP scanners for several years have included Webscan functionality
• Webscan functionality enabled by default without password protection
• Many networks are misconfigured to expose scanners

Automation

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

• Predictable URL path for scanned documents
• Request the above URL every second to retrieve any scanned documents
• HP Scanner Check - http://zscaler.com/research/blog/hpscannercheck.pl
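An exposure check built on the URL pattern above, as an added example in Python; it is not Zscaler's hpscannercheck.pl. It polls the predictable Webscan path, classifies what comes back (Basic-auth challenge, an HTML page with nothing scanned yet, or an image served without credentials) and stops as soon as an exposure is confirmed, so it never pulls more than one document from a device you are auditing. The transport is injected as a `fetch(url)` callable so the logic runs offline; `FakeScanner` below is a constructed stand-in, not a real device, and the `RANK` ordering and verdict names are mine.

```python
"""Check whether an HP Webscan endpoint answers without authentication."""
import time
from typing import Callable, Dict, Tuple

# A fetcher returns (status, headers, body). A real one would wrap urllib or
# requests; FakeScanner below stands in for a device so the check runs offline.
Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str], Response]

# Verdicts ordered from least to most serious (ordering is an assumption of this example).
RANK = {"not-webscan": 0, "password-protected": 1, "open-no-image": 2, "exposed-scan": 3}


def webscan_url(scanner_ip: str, epoch: int) -> str:
    """The predictable Webscan image URL from the slide; only the time parameter varies."""
    return (f"http://{scanner_ip}/scan/image1.jpg"
            f"?id=1&type=4&size=1&fmt=1&time={epoch}")


def classify(resp: Response) -> str:
    status, headers, body = resp
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if status == 401:
        return "password-protected"
    if status == 200 and ctype.startswith("image/") and body:
        return "exposed-scan"          # a document came back without credentials
    if status == 200:
        return "open-no-image"         # endpoint answers; nothing on the glass yet
    return "not-webscan"


def check_scanner(scanner_ip: str, fetch: Fetcher, polls: int = 3,
                  interval: float = 0.0, clock: Callable[[], float] = time.time) -> str:
    """Poll the Webscan URL `polls` times and return the most serious verdict seen.

    interval=1.0 reproduces the once-per-second loop the slide describes; the
    default of 0 keeps the offline run instant. Stops early on a confirmed
    exposure so the check never retrieves more than one image.
    """
    worst = "not-webscan"
    for i in range(polls):
        verdict = classify(fetch(webscan_url(scanner_ip, int(clock()))))
        if RANK[verdict] > RANK[worst]:
            worst = verdict
        if worst == "exposed-scan":
            break
        if interval and i + 1 < polls:
            time.sleep(interval)
    return worst


class FakeScanner:
    """Constructed stand-in for a scanner; not a real device.

    exposed=True answers with HTML until a 'scan' appears on the second poll;
    exposed=False challenges for Basic auth like a password-protected device.
    """
    def __init__(self, exposed: bool = True) -> None:
        self.exposed = exposed
        self.calls = 0

    def __call__(self, url: str) -> Response:
        self.calls += 1
        if not self.exposed:
            return 401, {"WWW-Authenticate": 'Basic realm="scanner"'}, b""
        if self.calls < 2:
            return 200, {"Content-Type": "text/html"}, b"<html>no scan yet</html>"
        return 200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 16


if __name__ == "__main__":
    print(webscan_url("192.0.2.10", int(time.time())))
    print("exposed device  :", check_scanner("192.0.2.10", FakeScanner(True)))
    print("protected device:", check_scanner("192.0.2.11", FakeScanner(False)))
```

Run this only against devices you are authorized to test. The verdict "open-no-image" is still a finding: the endpoint answered without a challenge, and the next document placed on the glass would be retrievable by anyone who can reach the address.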



Photocopiers

"Copy from one, it's plagiarism; copy from two, it's research."

- Wilson Mizner (1876 - 1933)

Sharp Photocopiers

[Screenshot: Sharp "Document Administration Function" / Network Folder settings, with the vendor's description:]

"ACTION: Demonstrate how to use the Document Administration Function. This function is used to forward all data transmitted and received by the machine to a specified destination.

BENEFIT: Allowing administrators to monitor and archive inbound and outbound communications is an important security feature for protecting valuable company information. This function also gives administrators the ability to choose which destination (E-mail Address, FTP, Network folder or Desktop) to store their forwarded data according to their company's storage needs."
Ricoh Photocopiers

Shodan Results

• Query -> "Web-Server/3.0"
• Results -> 19,252
• Server string alone offers a unique identifier

HTTP/1.0 200 OK
Date: Sun, 24 Apr 2011 06:26:01 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF
Content-Length: 304
Pragma: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

RICOH Aficio

[Screenshot: Ricoh Aficio web interface showing cached copies of previously copied documents]

Ricoh Photocopiers - Document Server

[Screenshot: Document Server page of a LANIER-branded Ricoh device]
Security Systems

"Who controls the past controls the future. Who controls the present controls the past."

- George Orwell (1903 - 1950)

Security Systems

Webcams

Networking

"I hear there's rumors on the Internets that we're going to have a draft."

- George W. Bush (Oct. 8, 2004)
Cisco

Shodan Results

• Query -> "Server: cisco-IOS"
• Results -> 429,736
• All of the first 50 results are either password protected or inaccessible

HTTP/1.0 200 OK
Date: Sat, 31 Jul 1993 21:26:32 UTC
Server: cisco-IOS/12.1 HTTP-server/1.0 (1)
Mime-version: 1.0
Pragma: no-cache
content-type: text/html

(The 1993 Date header is a clock that has never been set, which is itself a hint that nobody is maintaining the device.)

Shodan Results

• Query -> "Server: cisco-IOS" "200 OK"
• Results -> 12,239
• 33 of the first 50 results were not password protected

[Chart: No Password vs Password/Inaccessible]

Cisco

Functionality

• Manage devices
• Monitor device health

Observations

• Numerous UIs identified with varying degrees of functionality
• Many are clearly dated, based on copyright © and browser identification (e.g. Netscape 7.0)
• Initial 'router web setup' screens often encountered

Attacks

• Reconfigure devices
• Reroute traffic
• DoS

Cisco Catalyst Switch

[Screenshot: Catalyst device manager home page (Summary Status, Express Setup, Cluster Management Suite, Tools, Help Resources) showing Network Identity (IP address, MAC address) and System Details (host name SW-NDC-3750, system uptime 24 weeks, 2 days, 15 hours, 17 minutes, serial number, software version 12.1(19)EA1d, system contact e-mail, system location Cebu). Copyright (c) 2003 by Cisco Systems, Inc.]

Cisco Catalyst 2960 Series

[Screenshot: Catalyst 2960 Series Device Manager dashboard showing uptime, product ID, IP and MAC address, serial number, software version, temperature (36 °C, OK) and port utilization.]
Cisco Catalyst Switch

[Screenshot: Express Setup page with fields for the switch password (and confirmation), default gateway, system contact and location, Telnet access and Telnet password, SNMP enable/disable and SNMP read/write community strings. Callouts:]

• Change switch password / change routing
• Enable telnet access and change password
• Enable SNMP access and change password

Cisco Catalyst Switch

[Screenshot: web-based command line page listing IOS exec commands (archive, clear, configure, copy, debug, delete, dir, ...)]

• Web based command line
• Can be leveraged to completely reconfigure the device and read its configuration information



Cisco Catalyst Switch

[Screenshot: web-based Ping tool form (Protocol: ip; Destination: n.n.n.n; Source interface: 0.0.0.0; Multicast interface: none; Repeat Count: 5; Timeout (seconds): 2; Datagram Size: 100; Time To Live; Type of Service; Verbose; Set DF bit in IP Header; Validate Reply Data; Ping / Reset)]

• Web based ping tool
• Also makes for a handy network scanner to identify otherwise inaccessible hosts
Cisco Catalyst Switch

[Screenshot: Software Upgrade page (Configure > Port Settings / Express Setup / Restart-Reset; Maintenance > Telnet / Software Upgrade / Network Assistant). "The switch is running Cisco IOS software release 12.2(44)SE..." Go to cisco.com to find the latest Cisco IOS image for your switch, download it, then choose the image file and upgrade.]

• Install a custom (backdoored) version of IOS

VoIP

"Well, if I called the wrong number, why did you answer the phone?"

- James Thurber (1894 - 1961), New Yorker cartoon caption, June 5, 1937

VoIP

Functionality

• Manage devices - security, logging, networking, etc.
• Debugging - run diagnostics

Attacks

• DoS - Disable phone system
• Reroute VoIP traffic through proxy for capture/replay
• Delete VM
• Forward VM

Vendor    Product      Server Header                             ShodanHQ
Polycom   SoundPoint   Polycom SoundPoint IP Telephone HTTPd     6,737
Polycom   CMA          Apache                                    N/A
3Com      NBX          Virata-EmWeb/R6_0_3                       1,351
Snom      Various      snom embedded                             1,114

Polycom SoundPoint

[Screenshot: Polycom SoundPoint IP Configuration Utility (Home, General, SIP Conf., Registration tabs; per-line Registration 1-6 parameters and network settings)]
Sipura SPA-2000

[Screenshot: Sipura Phone Adapter Configuration (Info, System, SIP, Provisioning, Regional, Line 1, Line 2, User 1, User 2; basic/advanced views). System Configuration: Enable Web Server, Web Server Port: 80, Enable Web Admin Access: yes, Admin Passwd, User Password. Internet Connection Type: DHCP, Static IP, NetMask, Gateway. Optional Network Configuration: HostName, Domain, Primary DNS, Secondary DNS, DNS Server Order, DNS Query Mode: Parallel, Syslog Server, Debug Server, Debug Level, Primary NTP Server, Secondary NTP Server. Copyright 2003-2006 Sipura Technology. All Rights Reserved.]
3Com NBX

[Screenshot: 3Com NBX NetSet administration UI - system configuration, voicemail and VPIM (Voice Profile for Internet Mail) settings. The page notes that VPIM uses an SMTP server embedded in the NBX operating system, which should always be protected by a firewall.]
Snom

[Screenshot: snom phone web interface "Welcome to Your Phone!" (Home, Setup, Preferences, Speed Dial, Function Keys, Identity 1-12, Action URL Settings, Advanced, Trusted Certificates, Software Update, Status). Various debugging tools are exposed.]

Make Calls

[Screenshot: the dial page, which places a call from the phone to any number entered in the browser, and the call history (dialed, received and missed calls with numbers and timestamps).]

Setup -> Advanced -> HTTP

HTTP:
User:
Password:
Authentication Scheme: Digest / Basic
HTTP Proxy:
HTTP port:
HTTPS port: 443
Register HTTP contact: on / off
Webserver connection type: http or https
Auto Logout (min):

Snom PCAP Trace

[Screenshot: snom "PCAP Trace" page (Web interface / VS / PCAP Trace) and the browser's "Opening trace.pcap ... Would you like to save this file?" dialog]

"To see what is going on on the network level, you can generate PCAP files on this page. These files can be read with various network tools, for example Ethereal. To start recording, press the start button ..."

• By pressing the "start" button, trace record will start recording every incoming or outgoing packet addressed to/from your phone.
• Pressing the "stop" button will stop trace recording.
• By clicking on the "here" link the browser will be used to load the dump file. This file can then be analyzed with tools like Ethereal or Wireshark.

Unique Servers With 25+ Hits

[Bar chart: hit counts (0 - 18,000) per unique Server header, annotated "We know what these web servers are... ...but what the heck are these?"]

2,737 unique server headers identified

Top 10 EWSs

[Bar chart: share of fingerprinted servers (0.00% - 3.50%) for the top 10 EWSs, split Free/Commercial]

EWS Vulnerabilities

Server            Vulnerability                  CVE/BID         Vuln. Ver   Shodan
Virata-EmWeb      URI Remote DoS                 BID 39257       6.0.1       104,919
Virata-EmWeb      Unauthorized DSL Modem Access  CVE-2006-0248   6.1.0       19,905
Allegro RomPager  UPnP HTTP Request Remote DoS   BID 45309       4.07        3,735,427

• Millions of Internet accessible devices are in use today running EWSs with known vulnerabilities
• Most devices have never had a firmware upgrade
• Some cannot be upgraded
• ...and this is an area of research that has been largely ignored
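Turning the table above into a check, as an added example in Python (not tooling from the talk). It extracts family and version from a Server header and reports the advisories listed in the table for exactly that version, which is how the Shodan counts above were obtained (one count per exact version string). The EmWeb header form "Virata-EmWeb/R6_2_1" comes from the slides; the RomPager header form "Allegro-Software-RomPager/<version>" is an assumption, since the deck lists only version numbers, and the sample headers are constructed.

```python
"""Flag Server headers naming a version from the EWS vulnerability table."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    family: str
    version: str      # exact version string as listed in the table
    ref: str
    title: str


# The three rows from the slide.
ADVISORIES: List[Advisory] = [
    Advisory("Virata-EmWeb", "6.0.1", "BID 39257", "URI Remote DoS"),
    Advisory("Virata-EmWeb", "6.1.0", "CVE-2006-0248", "Unauthorized DSL Modem Access"),
    Advisory("Allegro RomPager", "4.07", "BID 45309", "UPnP HTTP Request Remote DoS"),
]

# (family, header regex, normaliser turning the match into the table's version form).
# EmWeb headers look like "Virata-EmWeb/R6_2_1" (slides); the RomPager form
# "Allegro-Software-RomPager/4.07" is an assumption of this example.
HEADER_PATTERNS = [
    ("Virata-EmWeb",
     re.compile(r"^Virata-EmWeb/R?(\d+)[._](\d+)[._](\d+)", re.IGNORECASE),
     lambda m: ".".join(m.groups())),
    ("Allegro RomPager",
     re.compile(r"^Allegro-Software-RomPager/(\d+\.\d+)", re.IGNORECASE),
     lambda m: m.group(1)),
]


def identify(server: str) -> Optional[Tuple[str, str]]:
    """Return (family, normalised version) for a Server header value, or None."""
    for family, rx, norm in HEADER_PATTERNS:
        m = rx.search(server.strip())
        if m:
            return family, norm(m)
    return None


def match_advisories(server: str) -> List[Advisory]:
    """Advisories whose family and exact version match the header."""
    ident = identify(server)
    if ident is None:
        return []
    family, version = ident
    return [a for a in ADVISORIES if a.family == family and a.version == version]


# Constructed sample headers, shaped like the ones quoted on the slides.
SAMPLE_HEADERS = [
    "Virata-EmWeb/R6_0_1",
    "Virata-EmWeb/R6_1_0",
    "Virata-EmWeb/R6_2_1",
    "Allegro-Software-RomPager/4.07",
    "Allegro-Software-RomPager/4.03",
    "CANON HTTP Server Ver2.21",
]


def report(headers: List[str] = SAMPLE_HEADERS) -> Dict[str, List[str]]:
    """Map each header to the advisory references it matches (empty list if none)."""
    return {h: [f"{a.ref}: {a.title}" for a in match_advisories(h)] for h in headers}


if __name__ == "__main__":
    for header, hits in report().items():
        print(f"{header:34} {hits or 'no listed advisory'}")
```

The exact-version match mirrors the table and nothing more: whether neighbouring versions share a bug is stated by the advisory, not by the slide, and vendors sometimes patch firmware without changing the Server string at all. Treat a hit as a lead to confirm on the device, and treat a miss on an old version as "unknown", not "safe".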












Vendor Solutions

• Some functionality does not offer adequate value to justify the security risk

Password protection

• Risky admin functionality should not be enabled by default
• If enabled, it should be password protected with a unique per-device password (e.g. tied to the serial number or MAC address; note that the MAC address is visible to every host on the LAN, so a random per-device password printed on the label is the stronger choice)

Future Proofing

• EWSs should have a user-friendly firmware update capability

Enterprise Solutions

Preventive

• Any network enabled device should be subjected to the same security processes as a computer
• Hardening - password protection, disabling unneeded features, firmware upgrades, etc.

Detective

• Internal/external pen tests should include EWSs
• Traditional scanning tools (e.g. nmap) may not be appropriate












Patch Management for EWS

Frequency

When did you last patch/scan your photocopier?

Mechanism

Does the EWS even have a mechanism for a firmware update?

• Traditional security scanners are unlikely to uncover/reveal vulnerable EWSs
• Manual effort will be required
• Look at both external and internal threats

Outdated EWSs - Allegro RomPager

Version    Shodan
2.00        3,835
2.10       18,481
3.02        1,665
3.03        3,754
3.10       19,341
3.12        6,514
4.01       11,456
4.03      160,807
4.05          530
4.06        8,089
4.10        1,960
4.30       12,601
4.32        1,114
4.34        9,910
4.61        3,078

"In December 1997, Allegro delivered several additions to its embedded Internet applications product line. These included version 2.0 of RomPager..."

"In March 1999, Allegro announced version 3.0 of the product line..."

"In April 2007, Allegro released version 4.6 of the RomPager family..."